#RSAsummit
Agenda
Authentication Manager 8
Customer Use Cases
Risk Based Authentication (RBA)
RBA Integration and Deployment
SecurID / Authentication Manager 8
AM8 Compelling New Features
– Risk-Based Authentication lowers authentication costs
– Virtualization: better control at lower cost
– Mix & Match between Virtual and/or Physical Appliance
– Self Service & Admin Dashboards lower TCO
– Software Token Provisioning improves by 57%
Proven High Quality Release
AM Prime Suite – Advanced Token Lifecycle Management Solutions
Archer Focused Solutions (Reporting)
Software Token 2.0 Improves User Experience
• AM8.0 (Virtual Appliance) GA in Mar 2013
• AM 8.1 (Hardware Appliance) GA in Dec 2013
A Few Months Left Until End of Primary Support (EOPS)
The Clock is Ticking
AM 6.1
– EOPS Dec 2014
– No extensions
– Can migrate directly to 8.x
– No Appliance migration
AM 7.1
– EOPS Dec 2014
– No extensions
– Some Appliances may migrate
For Migration Resources, visit www.emc.com/am8
Risk Based Authentication
Diverse User Populations Require Choice
Figure: authentication options ranged from Security & Flexibility to Convenience & Cost. Hardware Tokens: Fob / Card Token, Hybrid, Smart Card. Software Tokens: PC / Web Browser, Mobile, Embedded Solutions. Tokenless: Passwords, On-Demand, Risk-Based Analytics.
Populations served: Employees, Temps, Contractors, Partners, Clients, Customers, Auditors, Remote Workers
RBA Use Case: Web-Based Remote Access
For Employees, Contractors, Partners and Clients
Protected resources: SSL VPN, OWA, SharePoint, Web Portals
User groups: Employees & Contractors; Partners & Vendors; Clients
Examples:
– Employee Mobility: SSL VPN and web-based email for employees & contractors
– Healthcare: Health Clinics eliminating the “token necklace” for medical staff
– Professional Services: Exchange of sensitive information with clients using an online portal
– Manufacturing: Supply Chain Order Management System hosted by XenApp
– Enterprise Web Portal: Web Portals for Employee, Contractor or Customer Services
AM8 RBA Customer Implementation
Large Global Media & Marketing Conglomerate with diverse portfolio of broadcast, digital, mobile and publishing companies
Problem: Management of digital certificate environment for authentication is time consuming, tedious and costly
Solution: AM8, 15,000 RBA/ODA Licenses & 15,000 Software Tokens for multifactor strong authentication; reduced management & administration costs
Problem: Difficulty meeting PCI Compliance
Solution: Easily achieves PCI Compliance
Problem: Increased risk to the business with potential outages and breaches
Solution: Strengthens access to sensitive applications with strong authentication for all users (VPN and ODA); 7x24 availability via multiple replicas
Problem: VPN access is single factor into corporate network
Solution: RBA delivers multi-factor authentication with no impact to user experience & lowers costs; Software tokens meet the strong 2-factor authentication requirement for non-Web based applications
AM8 RBA Customer Implementation
Large North American City Municipality (Population = 1 Million+)
Problems:
– Access to HR portal from internal corporate network only
– Rising help desk costs associated with employees losing tokens, re-issuing tokens
– Cost of issuing tokens to employees who only require occasional access
– Network utilization, efficiency and negative experience of dual authentication for an increasing population of remote users accessing the HR portal indirectly via VPN from home office with a token
Solutions:
– Upgrade from AM7.1 to AM 8 Virtual Appliance with Web Tiers; Self Service Console significantly lowered deployment, maintenance and Help Desk costs
– Deployed 18,000 RBA licenses; RBA licenses do not expire and can easily be re-provisioned in AM 8
– HR portal access from anywhere using RBA has streamlined operations, lowered cost and improved user experience
– Tokens moving forward will only be given to users who have access to critical assets other than their own HR portal
The AM8 RSA Risk Engine
RSA Risk Engine
• Based on Adaptive Authentication Risk Engine
– Industry's most proven & sophisticated risk engine
– Protects 400+ million online identities over the last decade
• Optimized for Enterprise Use Cases
– Network Security vs. fraud mitigation
– Predictable results vs. challenge rate
– Assurance levels vs. risk scoring
– Simple Deployment vs. customization
• Self Tuning Risk Model Adapts to Customer Environment
– Common device characteristics de-prioritized in risk score
Risk-Based Authentication
Strengthens Traditional Password Authentication By Silently Applying Risk-based Analytics
Figure: Web Browser -> RSA Risk Engine (Device Identification, Behavior, User). PASS -> Protected Resources (SSL VPN, OWA, SharePoint, Web Portals); RISKY -> Identity Challenge (On-Demand Challenge), which ends in PASS or FAIL. The Authentication Policy sets the required Assurance Level. Risk engine inputs: Activity Details, Device Fingerprint, Network Forensics, Device Token, Profile, Relative Velocity.
Risk Assessment
Device Identification: analyzes detailed hardware & software characteristics of each device.
– Device Fingerprint: collects & evaluates multiple facts about the user device, such as User Agent String, System Display, Software Fingerprint, Time Zone, Languages, Enabled Cookies and Enabled for Java
– Network Forensics: matches the device IP configuration to previously registered IP addresses for the user device; DHCP receives partial credit based on strength of match
– Device Token: identifies the device using a combination of anti-theft protected Cookies & Flash Shared Objects (FSOs) to prevent impersonation, support future identification & ensure a unique match; without Device Tokens, strength of match is determined by statistical probability
Behavior Analysis: assesses the impact of behavior anomalies based on frequency and recentness.
– Profile Anomalies: assesses recent changes to the user profile such as password or account changes
– Comparative Anomalies: compares behavior patterns and assesses behavior anomalies such as a new or infrequently used IP address
– Velocity Anomalies: compares the number of occurrences within a specified period of time (velocity) for a user vs. the user population
The Risk Engine automatically updates the scoring algorithm based on the statistical probability of certain characteristics within each unique deployment.
Assurance Levels
4 Pre-defined Levels defined by Policy. An Assurance Level is the degree of confidence in each user authentication attempt; policy sets the minimum assurance required to authenticate without challenge.
High – BEST for protecting sensitive assets when higher challenge rates are acceptable
  Use case: Authentication from easily-identifiable or corporate-owned assets (e.g. employee laptop); authentication from the same location (e.g. branch or home office)
Medium-High* – VERY GOOD for protecting sensitive assets when higher challenge rates are not acceptable
  Use case: Authentication from corporate & individual-owned assets when policy can be dictated (e.g. cookies must be enabled); laptop users that frequently authenticate while traveling
Medium – GOOD when a balance between protection and end user convenience is required
  Use case: Authentication from uncontrolled, non-managed assets (e.g., a personal laptop or home PC); when corporate policy cannot be enforced or when tracking objects (e.g., cookies or FSO) cannot be reliably used
Device Matching Technique
Assurance Levels Adjusted for Behavioral Risk
Rows: Device ID Match, from Strong to Weak. Columns: Behavioral Analysis Risk, four bands from Low to High.

Device ID Match                                                                      | Low      |          |          | High
Strong: Match based on two or more uniquely identifying elements & statistical data  | HIGH     | HIGH     | MED-HIGH | VERY LOW
Match based on one uniquely identifying element plus statistical data                | MED-HIGH | MEDIUM   | LOW      | VERY LOW
Match based on one uniquely identifying element                                      | MEDIUM   | MEDIUM   | LOW      | VERY LOW
Match based on statistical data                                                      | VERY LOW | VERY LOW | VERY LOW | VERY LOW
Weak: Unrecognized / unbound device                                                  | VERY LOW | VERY LOW | VERY LOW | VERY LOW
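The assurance-level lookup and the policy decision it feeds, as an added example (not RSA's code); it assumes the four behavioral-risk columns are numbered 0 (low) to 3 (high) and that a match with two or more unique elements but no statistical data, which the table does not list, falls to the single-element row.

```python
from enum import IntEnum

class Assurance(IntEnum):
    """Assurance levels ordered so a larger value means more confidence."""
    VERY_LOW = 0
    LOW = 1
    MEDIUM = 2
    MED_HIGH = 3
    HIGH = 4

# Rows of the device-matching table, strongest match first; each row holds the
# four behavioral-risk columns from Low (index 0) to High (index 3).
MATRIX = {
    "two_plus_unique_and_stats": (Assurance.HIGH, Assurance.HIGH, Assurance.MED_HIGH, Assurance.VERY_LOW),
    "one_unique_and_stats":      (Assurance.MED_HIGH, Assurance.MEDIUM, Assurance.LOW, Assurance.VERY_LOW),
    "one_unique":                (Assurance.MEDIUM, Assurance.MEDIUM, Assurance.LOW, Assurance.VERY_LOW),
    "stats_only":                (Assurance.VERY_LOW,) * 4,
    "unbound":                   (Assurance.VERY_LOW,) * 4,
}

def match_row(unique_elements: int, statistical_match: bool, bound: bool) -> str:
    """Pick the table row that describes how the device was matched.
    Assumption: two or more unique elements without statistical data is not in
    the table and is treated conservatively as the single-element row."""
    if not bound:
        return "unbound"
    if unique_elements >= 2 and statistical_match:
        return "two_plus_unique_and_stats"
    if unique_elements == 1 and statistical_match:
        return "one_unique_and_stats"
    if unique_elements >= 1:
        return "one_unique"
    return "stats_only" if statistical_match else "unbound"

def assurance_level(unique_elements: int, statistical_match: bool,
                    bound: bool, risk_band: int) -> Assurance:
    """Look up the adjusted assurance level; risk_band is 0 (low) .. 3 (high)."""
    if not 0 <= risk_band <= 3:
        raise ValueError("risk_band must be between 0 and 3")
    return MATRIX[match_row(unique_elements, statistical_match, bound)][risk_band]

def decide(level: Assurance, policy_minimum: Assurance) -> str:
    """Authentication policy: PASS when the attempt reaches the minimum assurance
    the policy requires, otherwise route the user to the step-up identity challenge."""
    return "PASS" if level >= policy_minimum else "CHALLENGE"
```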
Integration & Deployment
End User On-Boarding
Per User by Security Domain
Silent Collection:
– Engine is passive
– Period of passivity is configurable (14 Days is Recommended)
– User browser session information collected during authentication
– Once assurance reached, user prompted in-line for step-up challenge*
Self-Service Console:
– User logs in to Self-Service Console
– User enters step-up challenge based on policy (Life Questions or On Demand)
– RBA is active immediately
– No history
Risk-Based Authentication Flow
Zones: Internet -> DMZ (SSL-VPN with SecurID Web Agent; Login Page with Custom RBA script) -> Intranet (AM Web Tier: SSC, CT-KIP, RBA; AM Appliance; Protected Resources)
1. User connects to SSL-VPN
2. RBA integration script on the login page redirects to the AM web tier
3. AM authenticates the user and performs risk assessment (challenge if necessary)
4. AM creates an “auth artifact” and returns the user to the SSL VPN
5. SSL VPN validates the artifact using SecurID APIs
6. Access Granted to protected resources
Certified RBA Integrations
RSA Authentication Risk Analytics and Intelligence

                  | AM8 Risk Based Authentication                          | Adaptive Authentication
Target Market     | Enterprise Web Based Applications                      | Enterprise / Consumer Portals
Risk Engine       | Tuned for predictable results                          | Tuned for predictable challenge rates
Deployment Size   | Small to Medium - Up to 20,000 users                   | Medium to Large - 10,000+ users
Integration       | Plug-and-Play                                          | PS Engagement
Administration    | Self-tuning risk engine requires little administration | Case management allows for manual tuning by advanced administrators
Policy Management | Simplified policy management with pre-defined ‘assurance levels’ | Advanced policy management allows custom weighting of additional risk factors
Devices           | Risk engine optimization specific to SecurID           | Risk engine optimizations specific to mobile devices
© Copyright 2014 EMC Corporation. All rights reserved.
AM8 and Risk Based Authentication
Summary
Optimized for Enterprise Use Cases
Expands the Use of Strong Authentication for Cost Sensitive Web Applications and Provides User Convenience
Low Cost Alternative for Hardware Authenticators
– Simple Plug & Play Deployment
– Combo License includes RBA & On-Demand Authentication (ODA)
– No Expiration; No Tokens to Purchase, Renew or Re-provision
Self Tuning Risk Model Adapts to Customer Environment
Common Device Identification Values

Category            Attribute          Description
Token Attributes    Cookie             Valid browser cookie is present
                    Flash              Valid flash cookie is present
                    Invalid_cookie     Cookie is invalid, expired, or does not match host machine
                    Invalid_flash      Invalid, expired or non-matching Flash shared object (FSO) present on host machine
                    No_device_matched  Device not previously registered for this user
Network Attributes  IP                 Matches previously known IP address for device
                    classc             Matches previously known Class C subnet for device
                    classb             Matches previously known Class B subnet for device
                    classa             Matches previously known Class A subnet for this device
Device Fingerprint  software           Software fingerprint based on installed browser plug-ins
                    usrAgent           User Agent String match
                    browser            Browser version match
                    display            Resolution (width/height) & color depth of the device’s display
                    httpAcceptLang     Accept Language String (from the HTTP header)
                    userLang           User Language Preferences
                    systemLang         System Language Settings
                    browserLang        Browser Language Settings
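How the token, network and fingerprint attributes above, together with the Network Forensics matching described under Risk Assessment, can be derived for one login attempt, as an added example (not RSA's code). It assumes a simplified device record (cookie value, prior IPs, stored fingerprint facts), approximates the class C/B/A subnets as /24, /16 and /8 prefixes, and leaves the Flash attributes out.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed record of one registered device (not RSA's schema): the cookie value
# issued to it, the IP addresses it was seen from, and the fingerprint facts recorded.
@dataclass
class KnownDevice:
    cookie: str
    ips: set = field(default_factory=set)
    fingerprint: dict = field(default_factory=dict)

FINGERPRINT_KEYS = ("software", "usrAgent", "browser", "display",
                    "httpAcceptLang", "userLang", "systemLang", "browserLang")

def _subnet(ip: str, bits: int) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{ip}/{bits}", strict=False)

def network_attributes(ip: str, known_ips: set) -> list:
    """Exact IP first, then class C/B/A; the classes are approximated as /24, /16, /8."""
    found = ["IP"] if ip in known_ips else []
    for name, bits in (("classc", 24), ("classb", 16), ("classa", 8)):
        if any(_subnet(ip, bits) == _subnet(k, bits) for k in known_ips):
            found.append(name)
    return found

def identification_values(cookie, ip: str, fingerprint: dict, devices: list) -> list:
    """Identification values raised for one attempt, named as in the table.
    The device is chosen by its cookie; failing that, by any network match."""
    device = next((d for d in devices if cookie is not None and d.cookie == cookie), None)
    if device is not None:
        values = ["Cookie"]
    else:
        device = next((d for d in devices if network_attributes(ip, d.ips)), None)
        if device is None:
            return ["No_device_matched"]
        # A cookie that matches no registered device is reported as invalid: a mismatch
        # is a signal in its own right, which is why the table lists it separately.
        values = ["Invalid_cookie"] if cookie is not None else []
    values += network_attributes(ip, device.ips)
    # Fingerprint facts only count when presented and equal to the stored value.
    values += [k for k in FINGERPRINT_KEYS
               if k in fingerprint and fingerprint[k] == device.fingerprint.get(k)]
    return values
```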
Common Behavioral Anomaly Events

Category                        Anomaly             Description
Profile Anomalies               dscPassw            The user’s password was recently changed or reset
                                dscAddr             The user’s address was recently updated
                                dscEmail            The user’s email address was recently updated
                                dscPhone            The user’s phone number was recently updated
                                dscChallengeMethod  The user’s challenge method was recently changed
                                dscSecretQuestion   The user’s security questions were recently updated
                                dscProfile          Multiple elements of the user’s account were recently changed or updated
                                dscClearDev         The user’s device history was recently cleared
Velocity Anomalies (IP address) numClassBUsr10d     High number of IP (class B) addresses for this user in the last 10 days
                                numClassBUsr30d     High number of IP (class B) addresses for this user in the last 30 days
                                ipAge               Length of time since this IP address was first recorded
                                ipLastHit           Length of time since this IP address was last used
                                ipAuth              Recent Identity Confirmation attempts from this IP address were unsuccessful
                                numUsrsIp10m        High rate of users authenticating from the same IP address over the last 10 minutes
                                numUsrsIp1h         High rate of users authenticating from the same IP address over the last hour
                                numUsrsIp1d         High rate of users authenticating from the same IP address over the last day
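Computing the velocity anomalies in the table (numUsrsIp10m/1h/1d and numClassBUsr10d/30d) over a constructed authentication history, as an added example (not RSA's code); the trigger thresholds are assumptions, since the deck names the anomalies but not the counts behind them.

```python
from datetime import datetime, timedelta

# Constructed prior authentications (not real log data): ISO timestamp, user, source IP.
EVENTS = [
    ("2014-03-10T08:00:00", "alice", "203.0.113.10"),
    ("2014-03-10T08:05:00", "bob",   "203.0.113.10"),
    ("2014-03-10T08:07:00", "carol", "203.0.113.10"),
    ("2014-03-10T08:08:00", "dave",  "203.0.113.10"),
    ("2014-03-04T12:00:00", "alice", "198.51.100.7"),
    ("2014-03-06T12:00:00", "alice", "192.0.2.9"),
    ("2014-02-01T12:00:00", "alice", "192.0.2.200"),
]

# Assumed trigger counts: the deck names these anomalies but not their thresholds.
THRESHOLDS = {"numUsrsIp10m": 3, "numUsrsIp1h": 5, "numUsrsIp1d": 20,
              "numClassBUsr10d": 3, "numClassBUsr30d": 5}
IP_WINDOWS = {"numUsrsIp10m": timedelta(minutes=10),
              "numUsrsIp1h": timedelta(hours=1),
              "numUsrsIp1d": timedelta(days=1)}

def _in_window(events, now, window):
    """Yield (user, ip) for every event inside the window that ends at `now`."""
    for ts, user, ip in events:
        t = datetime.fromisoformat(ts)
        if now - window <= t <= now:
            yield user, ip

def users_from_ip(events, ip, now, window) -> int:
    """Distinct users authenticating from `ip` within the window."""
    return len({u for u, i in _in_window(events, now, window) if i == ip})

def class_b_for_user(events, user, now, days) -> int:
    """Distinct class B prefixes (first two octets) this user came from in `days` days."""
    return len({".".join(i.split(".")[:2])
                for u, i in _in_window(events, now, timedelta(days=days)) if u == user})

def velocity_anomalies(events, user, ip, now) -> list:
    """Names (as in the table) of the velocity anomalies tripped by an attempt at `now`.
    The attempt under evaluation is added to the history so it counts toward each rate."""
    history = list(events) + [(now.isoformat(), user, ip)]
    fired = [n for n, w in IP_WINDOWS.items()
             if users_from_ip(history, ip, now, w) >= THRESHOLDS[n]]
    fired += [n for n, d in (("numClassBUsr10d", 10), ("numClassBUsr30d", 30))
              if class_b_for_user(history, user, now, d) >= THRESHOLDS[n]]
    return fired
```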